A computer network typically includes computer processors or “hosts” that host software applications that provide or request services, or both. The hosts may be network terminals or end stations that do not perform network traffic routing or forwarding functions. The hosts communicate with each other through network devices, also called intermediate devices, such as switches and routers, which do perform routing and forwarding functions. Some intermediate devices are themselves hosts for some routing or forwarding applications and services. Internet Protocol (IP) is often used for sending packets of information between processes running on hosts on a network. As used hereinafter, a server refers to a server process that provides a service and a client refers to a client process that requests a service, unless otherwise indicated to refer to the host or device on which the process executes. According to the Internet Protocol (IP), different hosts have different logical addresses, called IP addresses, which are used by the intermediate devices to route and forward data packets from one host to another.
A local area network (LAN) connects hosts in a relatively small geographic area for sharing resources. Resources shared on the LAN often include data files, devices such as printers, and applications such as word processors. LAN protocols function at the level of the physical connection between devices on the LAN, and the data link between the connection and the operating system on a device. In contrast, IP functions at the level where client and server processes send or receive data directed to each other. Intermediate devices that forward packets on the basis of built-in media access control (MAC) addresses are called switches. Intermediate devices that forward packets on the basis of administratively assigned, topologically relevant IP addresses are called routers.
Many LAN protocols give access to all resources on the LAN to every host physically connected to the LAN. In many circumstances, LAN administrators desire to control access to resources on the LAN by limiting physical connection to the LAN to certain authorized hosts.
An emerging LAN protocol for controlling access to LAN resources is defined by the Institute of Electrical and Electronics Engineers (IEEE) standard 802.1x. IEEE 802.1x provides LAN access control based on physical ports. In this context, a physical port is a single point of physical connection, such as a single interface card, to an intermediate device on the LAN. A physical port may include a wireless interface that receives electromagnetic signals. Many intermediate devices, such as switches and routers, each have multiple interface cards. A physical port is an element of one of the interface cards on such an intermediate device. IEEE 802.1x provides a mechanism for authenticating and authorizing hosts attached to a LAN physical port, and for preventing access through that physical port in cases where the authentication and authorization process fails. The standard provides user-to-network authentication.
According to IEEE 802.1x, information is sent from a supplicant process, hereinafter called the supplicant, on the newly connected host to the intermediate device at the physical port. The information sent by the supplicant might be stored persistently on the host being connected; or the information might be received from a human user of the host, such as in response to prompts for user name and password; or some combination of stored and user-supplied information may be used. The intermediate device runs an authenticator process, hereinafter called the authenticator. The authenticator sends a request to an authorization, authentication and accounting (“AAA”) system based on the information from the supplicant. An example of an AAA system is a RADIUS server. The AAA system returns a response indicating whether the connection should succeed or fail. If the response indicates the connection fails, the intermediate device does not forward data communicated to the physical port from the host. If the response indicates the connection succeeds, the intermediate device does forward data communicated to the physical port from the host.
In addition to obtaining access to the network through the physical port, the host also must be configured for network operations. For example, a newly added host is assigned a logical network address for itself, and a network address for the intermediate device that routes or forwards its traffic, among other configuration information. Configuring a host is a tedious process to perform manually. The Dynamic Host Configuration Protocol (DHCP) provides a mechanism through which computers using IP can obtain network addresses and other configuration information automatically. The DHCP process is initiated after the physical connection is authorized using IEEE 802.1x.
After obtaining access through the physical port and being configured, a client on the user's host may request services from servers on the network using IP. In many circumstances, user authentication is also useful in IP communications. For example, based on the user of a client process, it is sometimes desirable to determine accounting information for billing purposes, to provide a minimum quality of service (QoS) according to a contract with the user, or to limit access by the user to certain servers, or to perform some combination of these functions. Many systems track such functions based on the IP address of the client. Intermediate devices serving as conventional gateways to the Internet, for example, control access to the Internet based on an access control list made up of one or more IP addresses. To utilize such systems, a user-to-IP-address authentication process is needed.
There is currently no connection between the user-to-LAN authentication process and the configuration processes, such as DHCP servers, that provide IP addresses.
One approach is to require the user to provide information for the authentication and authorization system to the configuration process that provides the IP address for the host. This approach would also modify the configuration process to send a request to the authorization and authentication system, such as the RADIUS server, based on the information from the user. Based on the response from the authorization and authentication system, the configuration process would assign an IP address associated with the privileges to be afforded to the user, such as accounting, QoS and access to LAN resources.
There are disadvantages to this approach. One disadvantage is that the user is twice subjected to entering the same identification and password information in response to prompts: once for the IEEE 802.1x process and again for the configuration process. This doubles the burden on the user, doubles the chances of an entry mistake that causes the connection to fail, decreases the quality of the user experience, and hinders the perceived utility of the network.
Another disadvantage is that a configuration process on the user's host, such as a DHCP client process, would have to be modified to prompt for the needed information. However, this approach is not practical because tens of millions of DHCP clients have already been deployed over the last decade without such a modification. It would be expensive and take many years to even replace a significant fraction of the deployed DHCP clients.
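The sequence described in the preceding paragraphs (a supplicant authenticated through an 802.1x authenticator that consults an AAA server, DHCP running only once the port is authorized, and the alternative in which the DHCP server itself re-queries AAA with user-supplied credentials) is illustrated below as an added simulation. It is example code written for this page, not code from the specification or from any product; the AAA server with its PBKDF2-hashed user table, the port and MAC identifiers, the address pools and the `user`/`password` fields carried in the DHCPDISCOVER of the "modified client" case are all constructed for the example. The unmodified client in the last case shows the deployed-client problem: its port is authorized, yet the credential-prompting DHCP server issues no lease because the request carries no credentials.

```python
import hashlib
import hmac

# Constructed AAA (RADIUS-like) user database for this example:
# username -> (salt, PBKDF2-SHA256 hash, privilege class). Sample data, not real credentials.
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt-for-example"
AAA_USERS = {"alice": (_SALT, _hash("correct horse", _SALT), "staff")}


class AAAServer:
    """Stand-in for a RADIUS server: answers Access-Accept or Access-Reject."""
    def __init__(self, users):
        self.users = users

    def access_request(self, username, password):
        record = self.users.get(username)
        if record is None or password is None:
            return "Access-Reject", None
        salt, expected, privilege = record
        if hmac.compare_digest(_hash(password, salt), expected):
            return "Access-Accept", privilege
        return "Access-Reject", None


class Authenticator:
    """802.1x authenticator on a switch: one controlled state per physical port."""
    def __init__(self, aaa):
        self.aaa = aaa
        self.port_state = {}  # port id -> "authorized" | "unauthorized"

    def link_up(self, port):
        # A newly connected port starts unauthorized: only authentication frames are handled.
        self.port_state[port] = "unauthorized"

    def eapol_submit(self, port, username, password):
        # The supplicant's credentials are relayed to AAA; the verdict sets the port state.
        verdict, _privilege = self.aaa.access_request(username, password)
        self.port_state[port] = "authorized" if verdict == "Access-Accept" else "unauthorized"
        return verdict

    def forward(self, port, frame):
        # Data frames (DHCP included) arriving on an unauthorized port are dropped.
        if self.port_state.get(port) != "authorized":
            return None
        return frame


class DHCPServer:
    """Plain DHCP server: it sees only the client MAC, never the 802.1x user identity."""
    def __init__(self, pool):
        self.free = list(pool)
        self.leases = {}  # client MAC -> leased address

    def handle(self, frame):
        if frame is None or frame.get("type") != "DHCPDISCOVER":
            return None
        mac = frame["src_mac"]
        if mac not in self.leases:
            self.leases[mac] = self.free.pop(0)
        return {"type": "DHCPOFFER", "yiaddr": self.leases[mac], "chaddr": mac}


class CredentialPromptingDHCPServer(DHCPServer):
    """The alternative described above: DHCP re-queries AAA with credentials carried in the
    request and allocates from a per-privilege pool. Only a modified client supplies them."""
    def __init__(self, aaa, pools):
        self.aaa = aaa
        self.pools = {name: list(addrs) for name, addrs in pools.items()}
        self.leases = {}

    def handle(self, frame):
        if frame is None or frame.get("type") != "DHCPDISCOVER":
            return None
        verdict, privilege = self.aaa.access_request(frame.get("user"), frame.get("password"))
        if verdict != "Access-Accept":
            return None  # an unmodified client sends no credentials: no lease at all
        mac = frame["src_mac"]
        if mac not in self.leases:
            self.leases[mac] = self.pools[privilege].pop(0)
        return {"type": "DHCPOFFER", "yiaddr": self.leases[mac], "chaddr": mac}


def connect_host(authenticator, dhcp, port, mac, username, password, dhcp_fields=None):
    """Link up, run 802.1x with the supplicant's credentials, then attempt DHCP.
    Returns (AAA verdict, offered address or None)."""
    authenticator.link_up(port)
    discover = {"type": "DHCPDISCOVER", "src_mac": mac, **(dhcp_fields or {})}
    # DHCP before authorization never reaches the server: the switch drops the frame.
    assert authenticator.forward(port, discover) is None
    verdict = authenticator.eapol_submit(port, username, password)
    offer = dhcp.handle(authenticator.forward(port, discover))
    return verdict, (offer["yiaddr"] if offer else None)


if __name__ == "__main__":
    switch = Authenticator(AAAServer(AAA_USERS))
    print(connect_host(switch, DHCPServer(["10.0.0.10"]), "Gi1/0/1", "00:11:22:33:44:55", "alice", "correct horse"))
    print(connect_host(switch, DHCPServer(["10.0.0.10"]), "Gi1/0/2", "00:11:22:33:44:66", "alice", "wrong"))
```

The plain `DHCPServer` never learns which user authenticated on the port, which is the gap the text describes: the lease is keyed only by MAC. The prompting variant closes that gap but only for clients that carry credentials in the DHCP exchange, so every existing client gets no address at all.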
Based on the foregoing, there is a clear need for techniques that assign network addresses based on a connection authentication process.
In particular, there is a need for a DHCP server that assigns IP addresses based on results from processes following the IEEE 802.1x standard, without requiring changes to a DHCP client.